unusual to syntax creating what looks like an open relay (Postfix2.2)
in [Postfix]
|
Prev: Error: TLS not available due to local problem
Next: postfix to BorderWare MXtreme Mail Firewall SMTP server delivery fails?
From: "Curtis H. Wilbar Jr." on 27 Jan 2010 16:02 Running a Postfix 2.2 server... The server won't accept user(a)somewhereelse.com@ourserver.com But, it is accepting @somewhereelse.com:user(a)ourserver.com We will be upgrading Postfix soon, but in the meantime, how do I best block this ? we have permit_sasl_authenticated, permit_mynetworks, and reject_unauth_destination for smtpd_recipient_restrictions It doesn't really mail relay (it ends up trying to mai user(a)ourserver.com I'd like to disallow this. Thanks for any input, -- Curt
From: Wietse Venema on 27 Jan 2010 16:09 Curtis H. Wilbar Jr.: > > Running a Postfix 2.2 server... > > The server won't accept user(a)somewhereelse.com@ourserver.com > > But, it is accepting @somewhereelse.com:user(a)ourserver.com This is historical syntax, and is deprecated. For compatibility, Postfix accepts the syntax and processes it as if the client had sent "user(a)ourserver.com" instead. > We will be upgrading Postfix soon, but in the meantime, how do I best > block this ? It is harmless. Wietse
From: "Curtis H. Wilbar Jr." on 27 Jan 2010 16:37 Wietse Venema wrote: > Curtis H. Wilbar Jr.: > >> Running a Postfix 2.2 server... >> >> The server won't accept user(a)somewhereelse.com@ourserver.com >> >> But, it is accepting @somewhereelse.com:user(a)ourserver.com >> > > This is historical syntax, and is deprecated. > > For compatibility, Postfix accepts the syntax and processes it as > if the client had sent "user(a)ourserver.com" instead. > > >> We will be upgrading Postfix soon, but in the meantime, how do I best >> block this ? >> > > It is harmless. > I discovered as much... but it is showing up on a PCI scan... and while I can submit it as a false positive, is there a way to block this syntax at the RCPT TO phase ? Thanks, -- Curt > Wietse > >
From: Noel Jones on 27 Jan 2010 16:59 On 1/27/2010 3:37 PM, Curtis H. Wilbar Jr. wrote: > Wietse Venema wrote: >> Curtis H. Wilbar Jr.: >>> Running a Postfix 2.2 server... >>> >>> The server won't accept user(a)somewhereelse.com@ourserver.com >>> >>> But, it is accepting @somewhereelse.com:user(a)ourserver.com >> >> This is historical syntax, and is deprecated. >> >> For compatibility, Postfix accepts the syntax and processes it as >> if the client had sent "user(a)ourserver.com" instead. >> >>> We will be upgrading Postfix soon, but in the meantime, how do I best >>> block this ? >> >> It is harmless. > > I discovered as much... but it is showing up on a PCI scan... and while > I can submit it as a false positive, is there a way to block this syntax > at the RCPT TO phase ? use a regexp or pcre check_sender_access map. A very basic example: # /etc/postfix/sender_access.regexp /^@/ REJECT invalid recipient # main.cf smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/sender_access.regexp -- Noel Jones
From: Wietse Venema on 27 Jan 2010 17:06
Curtis H. Wilbar Jr.: > Wietse Venema wrote: > > Curtis H. Wilbar Jr.: > > > >> Running a Postfix 2.2 server... > >> > >> The server won't accept user(a)somewhereelse.com@ourserver.com > >> > >> But, it is accepting @somewhereelse.com:user(a)ourserver.com > >> > > > > This is historical syntax, and is deprecated. > > > > For compatibility, Postfix accepts the syntax and processes it as > > if the client had sent "user(a)ourserver.com" instead. > > > > > >> We will be upgrading Postfix soon, but in the meantime, how do I best > >> block this ? > >> > > > > It is harmless. > > > > I discovered as much... but it is showing up on a PCI scan... and while > I can submit it as a false positive, is there a way to block this syntax > at the RCPT TO phase ? You might try the Postfix 2.7 smtpd_command_filter feature to replace this input by other input that triggers a reject. For example, this example strips off the text after ":". This leaves the offending part that starts with "@", which is rejected with "strict_rfc821_envelopes = yes". /etc/postfix/main.cf: strict_rfc821_envelopes = yes smtpd_command_filter = pcre:/etc/postfix/cmd_filter /etc/postfix/cmd_filter: /^(@[^,:]+):/ $1 Otherwise, there is no vulnerability, so I am not in a hurry to "fix" it. You can flag it as a false positive. Wietse |